Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Wed Jul 18 04:01:17 EDT 2007


Hi All

That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with that
patch.

Now I only have the problem that mod_auth_kerb doesn't write my
credentials to KRB5CCNAME (in PHP).

My "kerbtray" under Windows says it is Forwardable but no "Ok to
delegate", so I guess that is the problem.

Under Linux they are forwardable.

------
[mkj at tux ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib at HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK at HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK at HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk at CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk at CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
--------


I found how to set ok-as-delegate for Heimdal; how is this done for MIT
Kerberos?

And how is it done under MS AD?

/Mikkel


On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:

> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
> 
> > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> > may provide more information (Cannot allocate memory)
> 
> What OS and what Kerberos libs do you use?
> Background of this question:
> 
> I've seen this error message "Cannot allocate memory"
> (and its solution) in
> 
> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
> 
> Achim

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.5-mech.patch
Type: text/x-patch
Size: 602 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070718/01be17ac/attachment.bin
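
An added example, not part of the original post or of any project mentioned in it: a small parser for `klist -f` output like the one above that reports which service tickets carry the ok-as-delegate (`O`) flag. The ticket lines are copied from the post (including the archive's "at" obfuscation); the function names are made up for this example.

```python
import re

# Flag letters printed by MIT "klist -f".
FLAGS = {"F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
         "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
         "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
         "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous"}

# Ticket lines from the klist -f output quoted in the post.
SAMPLE = """\
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK at HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK at HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk at CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk at CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT
"""

# "start-date start-time  end-date end-time  principal", with "@" or " at ".
TICKET = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<spn>\S+)(?: at |@)(?P<realm>\S+)\s*$")
FLAGLINE = re.compile(r"Flags:\s*(?P<flags>[A-Za-z]+)")

def parse_klist(text):
    """Return [(service_principal, set_of_flag_letters)] from klist -f output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            tickets.append([f"{m['spn']}@{m['realm']}", set()])
            continue
        m = FLAGLINE.search(line)
        if m and tickets:
            tickets[-1][1] = set(m["flags"])   # flags belong to the preceding ticket
    return [(spn, flags) for spn, flags in tickets]

def explain(flags):
    """Expand flag letters into names, unknown letters kept as-is."""
    return [FLAGS.get(c, c) for c in sorted(flags)]

def delegation_report(text):
    """Map each non-krbtgt service ticket to True if it has ok-as-delegate."""
    return {spn: "O" in flags for spn, flags in parse_klist(text)
            if not spn.startswith("krbtgt/")}

if __name__ == "__main__":
    for spn, ok in delegation_report(SAMPLE).items():
        print(f"{spn}: ok-as-delegate={'yes' if ok else 'NO'}")
```

On the output from the post, the cross-realm TGT `krbtgt/CBS.DK` has `O`, while the `HTTP/sugi.cbs.dk` and `host/sugi.cbs.dk` service tickets (Flags: FRAT) do not.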